Examples Templates Store Pricing Docs Turbo CSS Blog Introducing Turbo UI Named buckets Turbo CSS is Tailwind CSS on steroids Introducing Turbo CSS, the most advanced web-design language Calculate how much storage you use Better login system Collaboration settings Filesystem and Database are not cutting the problem space right What I'm working on 64bit File node IDs New how-to videos Creating buttons gets easier Introducing reusable components HTTPS by default Introducing the Boomla Theme CDN for faster pageloads Write your own website builder on top of Boomla On On composition Shared admin access A fresh config editor Building a multi-purpose theme A filesystem to replace your CMS New file link type: scope Mobile editing support Inline file wrapping changed Package sandboxing New PHP-like JavaScript engine [sjs-4e] Send emails to the website owner New JavaScript engine [sjs-4] A better editing experience New email service provider Glossary and other changes New panel changes Improved registration flow Boomla goes multiplayer Using local dev tools Why Boomla doesn't need Git File Panel Let's build a community Automatic updates Improved sjs-3 API New Frontend CSS modules Work offline with Boomla Faster page loads via caching Drag & drop supercharged Supporting CommonJS modules  Paranoid about loosing data IDE usability improvements Simple App install flow Meetups in Budapest Goodbye broken links Flow control from user space Customizing apps Contextmenu support for apps Deprecating the .Class file Hello Changelog Embedding 3rd party plugins Introducing Tools Installing apps just got amazing Public beta Host on our servers Simple deploy with push/pull Version Control for the Web 350M files on a 1TB disk 2 weeks in review
Control Panel
Warning: the .Trust file was superseeded by the .ContentSecurityPolicy file.


Embedding 3rd party plugins


As of Boomla v0.3.0, you can embed 3rd party plugins into your pages, like Youtube videos, Google Maps, Disqus comments, Google Analytics, etc.

Our solution is both safe and simple.


To enable Youtube videos, you have to

  • place a file named .Trust (dot, uppercase!) into the file referencing the video,

  • with the contents www.youtube.com.

  • Coomit your changes. That’s it!

Same goes for other services, just use different domains. If you need to reference more domains, just put them on new lines.

The rest of this document is only for tech savvy people.




How it works

What you are editing via the .Trust file is the Content-Security-Policy HTTP header your website is returning in every request.

If you are familier with Content-Security-Policy directives, you can specify directive values more specifically. For example, to enable loading Bootstrap from CDN, you could write


script-src maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com

While it’s nice to be more specific, it often means you have to do more research on what a service needs, and you are going to enable everything it need anyway, so what’s the benefit of the extra work?

For that reason, you can instead just write maxcdn.bootstrapcdn.com and Boomla will expand it for you with the proper syntax.


Note that you must commit your .Trust file to take effect. Here is why. Assume your website is compromised and a hacker succeeds in placing a malicious script with a .Trust file on your site. That script (virus) will not work so long you haven’t approved it. When commiting, you will be prompted about any additions to your .Trust files. Thus, to hack your site, hackers will need your permission!

So, Boomla will only trust external vendors which are present in your latest commit. Note that if you have multiple Youtube videos, you will not need to commit every single .Trust file. Having one commited is enough.

Writing apps

If you are writing or using a Boomla app that relies on 3rd party services, you can add the .Trust file centrally to your app, so you won’t need to enable every single file of this file type. If you are to install the app, you will also need to commit the .Trust file.

Keeping things in order

Note that Boomla is not using a central file to enable Content-Security-Policy directives. This is crucial, because this way you will not need to do extra adminstrative work when installing or uninstalling apps, or removing a content that was trusting a 3rd party service provider. The trust will be removed with the content or the app.

Keeping your website fast

Note that the Content-Security-Policy HTTP header will only be populated according to .Trust files that are relevant to the response. This means any files that were rendered on the page and any apps that were used for rendering them.



you can follow me on Twitter